Introduction
In the year of 2023, we discovered novel attacks for home wireless mesh networks.
Simply speaking, the control protocols over backhaul wireless links can be tampered with. As a result, an attacker who has a (fronthaul) Wi-Fi passphrase can obtain root shells on access points, and/or steal fronthaul/backhaul Wi-Fi passphrases.
Obtaining a root shell allows an attacker to capture/inject wireless packets, to change Wi-Fi passphrases to attacker-controlled values, among others. Stealing fronthaul/backhaul Wi-Fi passphrases allows an attacker to evade network access revocations.
Publication
Untangling the Knot: Breaking Access Control in Home Wireless Mesh Networks [PDF]
Xin’an Zhou, Qing Deng, Juefei Pu, Keyu Man, Zhiyun Qian, Srikanth V. Krishnamurthy
In Proceedings of the ACM CCS 2024 (accepted in the first cycle), Salt Lake City, UT.
Presentations
Fallen Tower of Babel: Rooting Wireless Mesh Networks by Abusing Heterogeneous Control Protocols
Black Hat USA 2024
Affected Vendors/Products
Note that the two types of security flaws we found are general, impacting the whole Wi-Fi mesh industry. If you don’t find your brand of choice above, it is still possible that your mesh network is vulnerable.
Open-Source Timeline
The full exploitation code will be available before the ACM CCS 2024 publication date (10/2024). At this stage (08/2024), we still want to give vendors and users more time to deploy patches.